UC Davis Active Directory Unified Communications Design Whitepaper
Upcoming SlideShare
Loading in...5

UC Davis Active Directory Unified Communications Design Whitepaper






Total Views
Views on SlideShare
Embed Views



1 Embed 1

http://www.linkedin.com 1



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

UC Davis Active Directory Unified Communications Design Whitepaper UC Davis Active Directory Unified Communications Design Whitepaper Document Transcript

  • UC Davis Active Directory/UnifiedCommunications Design Whitepaper Adam Getchell, College of Agricultural & Environmental SciencesExecutive SummaryThe budget crisis our University is in challenges us to simultaneously increase our efficiency whilelowering our costs. The campus IT infrastructure can play a pivotal role in achieving these objectives.As such, a confluence of events (budget, aging infrastructure, rollout of a central ActiveDirectory/Exchange system (uConnect) presents a once in a decade opportunity to replace agingsystems with an infrastructure that serves the campus in the future, in a way that consolidates disparatesilos and provides uniform, high-quality service to the students, faculty, and staff of UC Davis. We can nolonger afford to run needlessly parallel systems (DNS, Kerberos, LDAP, email, calendaring, VoIP, etc.)based on different operating systems and platforms when uConnect, if implemented properly, has thepotential to provide these services and more while eliminating the costs of running an entire duplicateinfrastructure.Problem: UC Davis continues to operate in a distributed computing environment where each unit investsheavily on duplicate services that fail to integrate with each other. Furthermore, these aging systemswere designed to solve the computing problems of the 20th century and fail to take advantage of currentcomputing trends, such as cloud computing, public key infrastructure, Voice-over-IP, and so forth, thatcan provide cost savings and enhanced services to our community.Furthermore, the staff of the current infrastructure are in the same silos as the systems they support.The costs of staffing and running these services and infrastructure as-is may exceed the costs ofprovisioning an updated and integrated infrastructure designed with current and future capabilities inmind.Solution: An IT Infrastructure for the entire campus that supports the goals of the OrganizationalExcellence initiative1 should be constructed using the following principles:  Full-featured services (easy to use for clients)  Flexibility (allow room for clients to implement services not original to the design)  Interoperability (support Windows, Mac, Linux)  Stability/Security (follow best practices)At a minimum, the infrastructure should support the following services for the campus:  A secure computing infrastructure o Reliable, integrated network services (Domain Name System, DHCP, etc.) o Secure account and password management (e.g. Kerberos)
  • o Public Key Infrastructure (e.g. SSL certificates for websites, digital certificates for email, users, computers, etc.) o An electronic directory of services that can be used to automatically discover new systems and services (DDNS, web services, etc.) o An electronic directory of people that can be used to automatically lookup attributes and roles (e.g. email address, calendar availability, application role) o Single-sign on to University resources such as email, Banner, DaFIS, Kuali, WhitePages, web applications such as Timesheets and Recruitments, and partner applications such as UCOP’s At Your Service using identity federation (e.g. Shibboleth) o Accessibility to services from a wide variety of devices, including workstations, laptops, mobile devices, and media consumption devices such as the iPad and tablet computers  Unified Communications o Email o Calendar o Voice-over-IP telephony (with interoperability with other systems, e.g. Skype) o Voicemail (available on email) o Electronic FAX o Instant Messaging (with interoperability with other systems, e.g. GoogleTalk, AIM) o Audio/Video/Web-conferencing o Electronic document management and collaboration (e.g. SharePoint) to make progress towards the paperless office  Adherence of subscribers to the basic Cyber-Safety requirements o Software patching and updates o Anti-virus software o Reduction of non-secure network services o Robust authentication o Protection of Personal Information o Network firewalls o Physical security for critical infrastructure o Elimination of open mail relays o Provision of secure off-campus access to electronic resources (e.g. Virtual Private Networking) o Auditing of critical infrastructure o Disaster recovery for critical infrastructure o Web Application SecurityNo solution can be complete without considering staffing. A federated approach, which combines theefforts of folks in Information and Educational Technology with those IT staff in the colleges, schools,departments, and organizations, would be the best option for UC Davis. The current collaboration ofARM, CA&ES, and IET technical staff on the current uConnect project provides an example; suchcollaborations should become the rule, rather than the exception. Strong collaborations and formalworking relationships between centralized units and local units allow the innovation, specialized
  • knowledge, and business needs of unit staff to be integrated into the operations of the criticalinfrastructure balanced with best practices.These services touch every aspect of business done at the university, and provide a platform for futureIT initiatives. The current state of the university requires that changes be made immediately to increasesefficiency. This proposed design is a significant step towards providing a common set of uniform toolsto enable productivity across all of the University’s functional domains for faculty, students, and staff.Implementing this solution will result reduce duplicate services and save money.IntroductionAudienceThis paper is addressed to the executive decision makers, MSOs, managers, and technical staff in the UCDavis community.What this whitepaper isAs a whitepaper, it proposes a unified, best practices design for a campus-wide Active Directory andUnified Communications system based on a set of principles. These principles provide guidance towardsproviding a full-featured set of campus services that also provide a measure of cost-savings compared tothe existing campus technology infrastructure.What this whitepaper is notThis whitepaper does not attempt to address comprehensively:  Total cost for client systems Cost analysis for the large, central components of this architecture has been done elsewhere2; the reader is encouraged to consult these and other references. Due to the nature of campus software purchasing, and in particular the Microsoft Consolidated Campus Agreement, client software (e.g. Client Access Licenses) have traditionally been purchased at the unit/department level3. Units have always traditionally been able to opt into or out of such purchasing agreements, and alternative models are not considered here. However, the campus as a whole will save the costs of purchasing many server software components with the advent of the centralized system described in this whitepaper.This whitepaper is organized as follows:Design describes the design of each of the major parts in the UC Davis Active Directory / UnifiedCommunications system. Many of these parts are interdependent, and require other services tofunction properly.Implementation identifies the critical path with the order of overall steps for dependent services.
  • Discussion recaptures the purpose of the changes in terms of services added, cost savings, and otherfactors. It attempts to answer some of the questions that this project raises.Glossary gives a brief description of the technical concepts discussed in this design. It may be skipped byknowledgeable readers.The VisionConsider the following use-cases that such a system might provide:A student wishes to double major in another college. She goes online and fills out the change of majorpetition and submits it to a web-based document management system using her UC Davis credentials.The system notes that the student is an undergraduate; so it does not route them to the onlineapplication for admission to a new graduate program, but goes instead to the Dean’s Office of theoriginating college for approval. The counselor gets an email notification and logs into the documentmanagement system to review the student’s records and other files. Noting that the student is in goodstanding (on the Dean’s honor list) and on-track to graduate, he approves the request; it is then routedto the new college (where it is checked automatically for fulfilled prerequisites), and finally to theRegistrars. Upon approval by the Registrar’s Office, the student receives an email that their change ofmajor has been granted, along with the contact information of the student’s new major advisor. Thestudent has also been automatically added to mailing lists for the department housing her new major.A graduate student wishes to access the new compute cluster that his advisor has just recentlysubscribed to. He goes to the cluster web page and fills out the access form online, which is routed to hisadvisor for approval. In the background, the PI has a digital certificate associated with her email account,so when she sends his approval the routing application can verify that she’s the originator of themessage as it goes to the help desk ticketing system for the cluster. The ticket system notes the approvaland emails the graduate student the directions for creating an SSH public/private keypair and uploadingthe public key to the campus LDAP directory. After the graduate student does this, he replies to the helpdesk email. The cluster admin reviews the ticket system, adds permission for the graduate student’s UCDavis credentials to login to the cluster, and closes the ticket. Upon closure, the help desk ticket systemsends an email notifying the graduate student that he now has access to the cluster. He opens his SSHclient and logs in automatically using his Kerberos ID and SSH key.A professor on sabbatical has a year-long adjunct appointment at a prestigious university overseas. She’sworking on a paper with collaborators back home, so she logs into the web front end of the documentmanagement system using her UC Davis credentials, and notes that her collaborator has checked-inchanges to their paper. She compares the new changes with the previous version, and after annotating afew comments decides a more in-depth discussion is required. She opens her email client and beginscomposing a long message, but midway through her email client signals that her collaborator is onlineand available to chat. They open an IM session, which becomes so productive that they decide to talk inreal-time using video and voice calling. Her collaborator wants to bring in one of his graduate studentsworking on a paper that illustrates one of his changes, so they invite him to the conference call and openup an online whiteboard, where they discuss his paper with respect to hers.
  • These are just a sample of the possibilities that an integrated, robust IT architecture can provide to thecampus. So how do we get there while saving costs?DesignThe principles behind a UC Davis Active Directory / Unified Communications system are:Full-featured servicesThe services must be easy to use by the clients, requiring minimal technical configuration and time touse.FlexibilityWhile the infrastructure provides the basic services that most clients will need, it must also be flexibleenough so new features can be developed and added as needed. This approach allows room for clientsto implement services not original to the design.InteroperabilityThe services should be usable across the broad range of computing platforms on campus, includingWindows, MacOS, Linux, and mobile devices. Equivalent support should be provided to a client,regardless of choice of platform.Stability/SecurityCentral systems should be reliable and dependable, with uptimes of greater than 99.9%. The systemsshould be administered using industry-standard best practices, and systems security should be a toppriority. Excessive outages and security incidents hurt both the productivity and reputation of theUniversity.Cost-effectivenessThe systems should be evaluated for fiscal efficiency and designed using commodity componentswherever possible. New trends in cloud computing, consumerization of IT, and mobile devices should beevaluated with an eye towards delivering service efficiently at minimum possible cost, balanced againstthe other stated principles.The proposed design of a UC Davis Active Directory / Unified Communications system has many dynamiccomponents. These will be described below:Active Directory[Late-Breaking Note: The IT-Infrastructure Futures committee which convened May-October of 2011 todiscuss some of the suggestions in this paper, recommend that the campus pursue the Single-ForestSingle-Domain model. However, the following prescription is kept intact for discussion purposes, anddetails of the Single-Forest Single-Domain model are examined below.]
  • The proposed model for the UC Davis Active Directory design is a single forest, multi-domain model withthe following features:  An empty root domain: to isolate critical Enterprise and Schema Administrators from all other accounts  An account domain: to isolate user accounts from the domains that provide services, and allow for easier scripting against a single account domain  A resource domain: to isolate services such as Exchange and Lync from member domain/OU computers  A departmental domain?These principles are based on the concept that a domain is a security boundary within Active Directoryintermediate between a forest and an organizational unit (OU). OUs may be a good fit for many units,but provide less separation than domains.Other models considered:  Multiple forests: A forest is a stronger security boundary than a domain. The tradeoff is that services are more difficult to provision. Setting up Microsoft Lync across multiple forests requires redundant Lync implementations for each forest4 and results in duplicated work for Network Operations Center personnel.5 Network Authentication Control may not be workable if hardware switches are unable to talk to multiple Network Policy Servers in different forests.  Single forest single domain: This is workable for large centralized organizations, but probably does not mesh with the university culture. The advantage of this model is its simplicity. The disadvantage is that there are no security boundaries protecting a unit from another rogue unit in the domain, and it would be difficult to provision disparate security policies at the OU level. In particular, each School/College/Organization may have different enforcement of Cyber-Safety policies, as those decisions are delegated to the Deans and Vice-Chancellors. Finally, OUs have disadvantages compared with domains, and some UC Davis units have already requested separate domains. Removing this option might make the service less able to address client needs. The AD design as described offers some important features that specifically address the principles of full-featured, interoperable, stable, secure, cost-effective service. As well, it enables custom applications to be developed to address unit specific needs. Examples of custom applications that have previously been developed but cannot be leveraged by other units due to a lack of a flexible infrastructure are as follows:  CA&ES has developed an application which checks Banner for student enrollment, assigns students enrolled in a particular class into an AD group, and then assigns that AD group to the logon properties of particular computer labs. The result is that students enrolled in a course can be automatically provisioned to have login privileges (which can be controlled by day/time) to certain computers for a certain length of time (e.g. a quarter).
  •  L&S has developed an application that imports/writes important administrative and academic dates to user’s calendars to publish items such as Instruction beginning, Payroll compute, University observed holidays, and so forth. Integration between DavisMail (the student email system powered by Gmail) and uConnect can be accomplished using SAML and the Google Apps APIs.6 Microsoft’s Live@Edu / Office 365 for Education service sets up federation between a user domain (typically campus.ucdavis.edu) and the hosted services: Microsoft Office, SharePoint Online, Exchange Online, and Lync Online.7 It allows for the possibility of going to a cloud-based service offering on uConnect if that is deemed desirable.8 Many more applications and services of this nature are possible, and a structure which provides the flexibility to write them should be provided. To efficiently write such applications, user objects need to be in a central, well-known container (i.e. the account domain) so that slow directory traversal calls are avoided.Domain Name ServiceDomain Name Service is a foundational piece of the internet. Many security issues are present whichrequire careful attention.9 Active Directory is based upon Dynamic DNS. Best practices with respect toActive Directory and DNS are:  The DNS name of the forest is the DNS name of the organization (ucdavis.edu)10  DNSSEC should be implemented  DKIM should be implementedThe advantages for making the DNS name of the forest ucdavis.edu are: A broad range of services register SRV records, including some that enable easier client configuration, such as Autodiscover11 (which automatically connect Outlook clients to Exchange mailboxes) and SIP (for Lync clients). Clients can automatically find these services via DNS query  Kerberos realm coincides with user logon name and the user principle name (UPN)  The Certificate Server (cf. Public Key Infrastructure ) can be made authoritative for the forest and all users thereinDNS names are so central to services populating Active Directory that one cannot do a DNS renameoperation once Exchange 2007, Exchange 2010, Microsoft Office Communications Server 2007R2, orMicrosoft Lync 2010 has been installed.12
  • The current uConnect root forest name is ad3.ucdavis.edu. As uConnect has Exchange 2010 andOCS 2007R2 running, it cannot be renamed to ucdavis.edu. Therefore, a migration or some otherreplication (e.g. forest-forest trust) must be done to get uConnect users into the new system.Current migrations to uConnect, using automated tools have some tricky spots. This possibility wasnoted when discussions first began on Xeda/uConnect implementation for the campus. However, giventhe potential client base (~5,000 currently in uConnect versus several times that number for the campusat large) and commitments that early adopters would be willing to tolerate disruptions for the benefit ofthe campusi, the logical choice remains to continue forward with a design that benefits the entirecampus versus minimizing turmoil for early adopters. (Note that keeping the existing uConnect forestsets up a multi-forest model, which is suboptimal (cf. Active Directory ).)To implement this change, the new Active Directory DNS servers will need to be brought up alongsidethe existing Unix DNS servers. DNS zone transfers would be conducted to synchronize records betweenUnix and Windows DNS, and the Infoblox tool (which is already compatible with AD13) would beconfigured to write changes to Active Directory in addition to the existing Unix servers. Finally, aftersufficient use and confidence has been developed (incorporating input from Linux and MacOS users) theUnix DNS servers would be turned off and the AD DNS servers would perform all DNS based functions.Once this step was completed, the next exercise would be to configure AD DNS for DNSSEC, which isstraightforward.14 Units that wish to maintain their own DNS servers should be provided a mechanism toregister in DNSSEC.Finally, DomainKeys Identified Mail should be implemented for Exchange. DKIM provides for a means ofcryptographically validating the domain name associated with an email; it allows organizations toefficiently filter some types of spam email. It will be discussed in further detail below.Dynamic Host Control ProtocolCampus DHCP services are currently provided by Infoblox. Some units still manually address and/or runtheir own DHCP services.Once the campus goes to IPv6, DHCP is not needed to assign addresses, as clients can automaticallyconfigure their own IPv6 address without risk of collision (64-bits of the IPv6 address are assigned by theclients themselves, which is twice the total count of IPv4 addresses possible in the Internet). However, itis still useful to assign other information in DHCPv6, in particular, the IP addresses of the local DNSservers.Because services register with Active Directory’s Dynamic DNS servers, a DNS server becomes a catalogof services that client computers can use to find applications, in the same way that the LDAP directory isa catalog of people.i Initial meetings with Xeda Steering Committee on 1/12/2010; many subsequent further discussions
  • Windows Vista clients and later include DHCPv6 clients, and Windows Server 2008 includes a DHCPv6server and relay agent (used to relay DHCP messages from DHCP servers).15 A robust system of DHCPservers scaled for campus will work together with Dynamic DNS servers to make campus applicationseasy to find and use automatically by clients.KerberosAll faculty, students, and staff are eligible to obtain Kerberos accounts which authenticate to the centralcampus Kerberos servers. A first step for using many applications developed on campus is obtaining aKerberos account.iIn turn, the campus has a user/password management system, more than two decades old, whichhandles the provisioning and maintenance of client login accounts and passphrases to/from theKerberos servers to other systems needing this information. Finally, there are a variety of shadowsystems which takes direct dumps of user logins and password plain-text equivalents in order tointegrate their services with the existing Kerberos system. The shortcomings of the existing system can be immediately addressed by taking advantage of theKerberos Key Distribution Center (KDC) built-into Windows AD Domain Controllers (DCs). The distributednature of Windows AD DCs provides reliability equal or superior to the existing system (e.g. there will bemore Windows DCs in the new system than there are Kerberos KDCs in the current system), andKerberos integration is automatically built-in to Active Directory clients, eliminating the necessity forshadow systems.Standard practice is to make the Kerberos realm the domain name.16 As this will be the case for the ADforest ucdavis.edu, the mapping of hostnames onto Kerberos realms17 will be automatically handledvia DDNS, and AD clients will be able to automatically locate Kerberized services.18 Because Kerberizedservices running elsewhere are not automatically viewable, services that are intended to be availabledomain or forest-wide should use the Windows KDCs (which can be further assisted by using theSubsystem for UNIX-based Applications in Windows Server 200819).To implement this change, the Windows KDC would be populated with the accounts in the existing UnixKDCs. This requires a passphrase reset, and has already been done on the uConnect DCs. It would bedone for the new Windows KDCs, avoiding the pitfalls that cropped up in the uConnect migrationii. Aftersufficient use and confidence has been developed (incorporating input from Linux and MacOS users) theUnix Kerberos servers would be turned off and the AD KDCs would perform all Kerberos loginauthentications.Active Directory Certificate Services, SSL, and Public Key Encryptioni Thanks to Megan Richmond for pointing this out.ii For example, small subsets of users were unable to login due to conflicts with previous uConnect accountinformation.
  • A Microsoft Certificate Server is a server acting as a Certificate Authority (CA) for the forest. Manyapplications require a properly set-up CA.A certificate is only as good as its chain of trust.20 The trust anchor for the digital certificate is the RootCA.The best practice setup for the campus CA isi: 1. Obtain an Intermediate CA certificate for the campus CA from a certificate authority such as Verisign21 or InCommon (if they are capable of handling it)ii 2. The certificate server with the Intermediate CA certificate becomes the campus CA with a complete Trust Chain 3. Templates are created on the campus CA to provision several Issuing CAs to perform certificate server functions 4. The campus CA is taken offline, and optionally, locked in a safe. Because the campus CA has the only Intermediate CA certificate, it is the only server which, if compromised, allows impersonation of all certificates issued by the Issuing CAs for the ucdavis.edu domain. 5. The Issuing CAs perform all certificate requests 6. A separate web server/file server system is kept to store the revoke certificate list. Because access to this system is required by the Issuing CAs before they will startup, this system should be redundant 7. The campus CA is only ever brought online to define new templates for Issuing CAs or re- authorize Issuing CAs when their certificates have expired (i.e. yearly)A working example follows.The campus CA, certroot.ucdavis.edu, has the Intermediate CA certificate for ucdavis.edu(signed by a Root CA such as Verisign or InCommon) installed. It is now authoritative forucdavis.edu, and can issue digital certificates with the trust chain intact all the way to the Root CAs(Verisign or InCommon).Two issuing certificate servers, cert1.ucdavis.edu and cert2.ucdavis.edu, are broughtonline and authorized by certroot.ucdavis.edu. Before they will successfully start, twowebservers, revokedcert1.ucdavis.edu and revokedcert2.ucdavis.edu, are alsobrought online and setup with the revoked digital certificates list (initially empty).Then certroot.ucdavis.edu is physically shut down (and locked away), and only revived to re-authorize cert1.ucdavis.edu and cert2.ucdavis.edu when their authorizations expireyearly.i Special thanks go to Uwe Rossbach for sharing his research and experience on this topic.ii Experience with InCommon so far has shown some difficulties in getting SSL certificates properly issued;InCommon seems to have marketing but limited technical support and no CA.
  • As revokedcert1.ucdavis.edu and revokedcert2.ucdavis.edu are up and running,cert1.ucdavis.edu and cert2.ucdavis.edu readily startup and begin issuing digitalcertificates for Exchange, Lync, VPN, and many other services.The benefits of this system are:  The campus CA is protected from compromise  Microsoft Lync can be setup and installed  VPN and NAC/NAP can use user- or computer certificates to verify identities  Encrypting File System (EFS) can be turned on for all file servers in the campus Active Directory  Campus websites can easily request SSL certificates. o Client web browsers with root CA certificates pre-loaded automatically fully trust ucdavis.edu Secure Sockets Layer (SSL) websites with no additional work22  Clients can request certificates to use for email encryption.  Clients can request certificates to use for email digital signatures o Applications can be written using workflow incorporated with digital signatures.23 A purchasing application can be confident that an email from a buyer approving a transaction is really from that buyer  Applications can make use of Code Signing.24 Code Signing uses digital signatures to prove the authenticity of an application. Clients using that application can be confident of its originsLightweight Directory Access Protocol servicesCurrently, campus is provided with LDAP services integrated with a custom application which allows fordirectory entries to be marked public or private, as desired. These entries are then published, subject tothese rules, on websites and used by other applications which need directory information.LDAP is also provided by Active Directory, and is integrated into AD services in a way that a standaloneLDAP system is not, while still providing interoperabilityi with LDAP clients from multiple vendors.25 26 27As an example, setting the “Manager” attribute in AD does several things:  In Outlook 2010, when viewing Calendars the “Team:” view automatically lists all subordinates  In Outlook 2010, the “To Manager” Quickstep automatically addresses the Manager  In SharePoint, workflow routing to supervisor makes use of the Manager attributeThe last point is significant because SharePoint contains the Windows Workflow engine, which allowsclients to create simple, graphical rules to route Microsoft Office documents amongst each other usingthe built-in organizational chart that is present in AD using this attribute. Moreover, any .NET applicationusing Windows Workflow can also take advantage of this, as can any LDAP-aware application. Aneffective, locally controlled enterprise-wide organizational chart is available just by using this property.i A key issue is multi-value support, such as multiple addresses per user. Both Microsoft documentation and “in thefield” reports indicate this is supported, see Endnotes.
  • Because many kinds of information can be added as additional attributes28 to LDAP, there are a varietyof additional applications29 which are opened up by the presence of an easily accessible directory ofpeople, the most important of which is authentication.LDAP supports an extended operation called Password Modify.30 This, along with proper securityprocedures (such as disallowing anonymous access to this and other key operations), allows LDAP to beused as a replacement for the Central Authentication System (CAS). Note that LDAP is already beingused to handle wireless network authentication, i.e. MoobileNet/MoobileNetX.31CAS is currently used on campus to authenticate web applications. It has a history of some instabilityi,and moreover requires additional dedicated hardware to run in a robust, load-balanced manner. Usingthe AD LDAP servers in the ucdavis.edu forest immediately provides stability and load-balancing, andallows for CAS to be retired.LDAP authentication is supported on a number of popular programming languages/web platforms:  .NET32 33  Java via the Java Authentication and Authorization Service34 and JaasLounge35  Cold Fusion 36  PHP 37  Perl 38  Python 39  Smartsite 40  Plone 41  Drupal 42  Hannon Hill Cascade Server 43  Atlassian Confluence 44  Oracle45 46LDAP supports other authentication methods. Public keys can be distributed and authenticated usingLDAP.47 If a user has in their possession a USB key or hardware token with their private key, they will beable to authenticate using SSH if the public key is published in LDAP. One use case would be for clustercomputing users; in clusters managed by Computational Science and Engineering, researchers gainaccess to cluster resources (logins, batch queues, etc.) via SSH and public/private keypairs. Public-keycryptography is robust authentication mechanism that is superior to passwords48; those serviceswanting extra security would be able to use this if LDAP is correctly provisioned. As hardware tokensbecome more prevalent (e.g. in smartcards) efforts would be made to support this more robust, two-factor authentication scheme. Certain systems currently in use using hardware tokens could be migratedto public-key cryptography.To implement this change, a timetable should be published to the campus technical communityoutlining the changeover schedule and resources available to convert existing web applications over toi th th Last outage was August 18 , 2010. Last unsuccessful upgrade was October 8 , 2010.
  • LDAP or Shibboleth authentication (cf Single Sign On ). Efforts should also be made to accuratelyupdate the directory with business and other information, such as public keys and user password hashes(LDAP stores a one-way hash of passwords to prevent compromise of the LDAP database from affectingusers49), that would be used for business process flow and authentication respectively. Value-addedprojects, such as WhitePages, or applications that enable easy entry of business data, could be rewrittento facilitate easy and accurate entry of useful directory information.After an appropriate sunset period (no more than 2 years are recommended), CAS would be turned offand the systems retired. Concurrently, as new services were developed based on LDAP (e.g. organizationcharts, workflow, and public-key authentication) these would be released to the community along withinformation on how to take advantage of these new services.It’s worth noting that CAS can use AD/LDAP as an authentication backend.50 i Retiring CAS is not anecessity, but it does save the infrastructure/staffing costs to run a system that is less redundant thanthe backend services (LDAP) it is using.Single Sign OnIntegrating Kerberos, LDAP/Shibboleth authentication, and a public-key distribution system along withActive Directory effectively gives users Single Sign On for services within UC Davis. Taking this a stepfurther to integrate with enterprise services outside of UC Davis, such as At Your Service51, involvesincorporating Shibboleth, an open-source implementation for federated identity-based authentication.52Shibboleth 2 now incorporates interoperability with Microsoft Active Directory.53 Organizations such asCampusEAI provide the myCampus Single Sign-On widget54 to allow users to sign into applications suchas Microsoft Exchange, Google Apps, Microsoft Live@EDU, Zimbra, Sakai and many others acrossorganizational boundaries one time. Regardless of which solution is chosen or developed, the existenceof these services should spur adoption of a solution as soon as feasible.ExchangeEmail and calendaring are fundamental to business operations, and should be properly resourced. Whatare “proper resources”?Exchange 2010 has raised the limit of items enumerable in a single folder to 100,00055, and reduced I/Ooperations by nearly 70% with respect to Exchange 2007.56 Best practices for individual mail storageare57:  Primary mailbox of not more than 10GB  Archive mailboxes of up to 10GB58 (as many as desired)  No use of offline personal archives (.PST)59Based on these practices, a suggested pricing model for Exchange is:i Thanks to Jeremy Philips for pointing this out.
  •  Baseline usage mailbox for free (e.g. 2GB), to cover existing Cyrus users and units that find Cyrus’ no cost and low capacity attractive  Additional mail costs not in excess of current hosted Exchange providers ($5/month/user60) 61 62  Archive mailboxes assessed at less cost than primary mailboxesThe traditional concern that large user mailboxes will make backup/recovery operations difficult isresolved by Exchange 2010 SP1, which allows repair/recovery of individual mailboxes without takingdown the entire mailbox database.63By making the Exchange mail service free for a certain level of service (and opening up Outlook WebAccess for web browser-based clients or IMAP/S for alternate clients such as Thunderbird; Apple’sMail/iCal/Address Book already ties directly to Exchange64), the current Cyrus mail users can bemigrated off of those aging systems and savings can be recouped from the staff and infrastructureresources used to run Cyrus.Once Cyrus users have been migrated, the rest of the campus can be moved onto the new mail system.A proposed order of migration is listed in Implementation.When everyone on campus has either a mailbox or a contact, the full capabilities of Exchange can beused. Mailing list management can be moved to mail groups in Exchange. Web applications can bedeveloped (CA&ES, L&S, and the Law School have already written several) which leverage Exchange webservices to provide for automatic calendaring/appointments, automatic class list creation, roomscheduling, and so forth. These applications provide rich additional functionality.Consideration should be made on whether it is worthwhile to retain mailing-list only systems such asSympa, which has a rich list of features65, but may or may not provide significant value-add compared todeveloping applications from Exchange Web Services.66DomainKeys Identified MailDKIM is actually independent of DNSSEC, but is included in this discussion because mostimplementations of DKIM use DNSSEC. Several vendor solutions for DKIM on Exchange are present, suchas Axway67, which also provides a Spam filtering solution. Implementing a vendor DKIM solution such asAxway would provide for greater email security as well as cost-savings associated with retiring thecurrent campus SpamAssassin system, which has some undesirable traitsi.Microsoft Enterprise Voice iii Bulk-mail sent from reputable sources is almost always flagged as spam due to overly sensitive rules as currentlyconfigured on SpamAssassin.ii Special thanks go to Shuka Smith for sharing his research and experience on this topic.
  • The campus voice network is currently served by the Sonus network68, which provides service forcampus landlines, emergency services such as 911, and voicemail. There are also hooks for the Pinnaclebilling system, which is used by Communications Resources to bill phone use.As of the release by Microsoft of Lync 2010 (formerly Office Communications Server), Lync provides thecapability to directly connect to a PSTN69, reducing the need for the Sonus network. In particular, thecurrent EVM system for electronic voice mail can be replaced by the transcription and storagecapabilities of Lync delivered to the Exchange mailbox, and it may prove simpler to use the built-in IP-PBX capabilities of Lync.uConnect is currently running Office Communications Server 2007 R2. There are three drawbacks of thissystem, as implemented:70 1. The certificates used are self-signed (thus a broken trust chain ) 2. OCS 2007 R2 does not have PSTN connectivity, and must rely on the Sonus cloud 3. The DNS SRV record for OCS on uConnect is _sip._tls.ad3.ucdavis.edu, which is not discoverable by clients on the ucdavis.edu namespace.The design proposed by this paper fixes the aforementioned three issues in the following ways: 1. Certificates are obtained from cert1.ucdavis.edu with a complete trust chain 2. Lync 2010, due 11/17/2010,71 is used, providing PSTN connectivity 3. The forest DNS name is ucdavis.edu, thus the SRV record is _sip._tls.ucdavis.edu, discoverable by all clients on ucdavis.edu.In addition, further cost-savings would be realized when Sonus is retired, as its duties are handled byLync.Retiring Sonus would be a complex project, further complicated by the requirements of the Pinnaclebilling system. Analog phone service must continue to be provided until the last subscriber opts out.Nonetheless, the way forward is to use existing and future telephony systems (including billing andrates) based on software, SIP, and IP-based phones, and phase out older systems as soon as possible.Document Management with SharePointSeveral document management systems already exist on campus, and document management itself canbe defined in many ways. Microsoft SharePoint 2010 provides the following capabilities72:  Accessibility, upon proper authentication, from anywhere with an Internet connection  Complete integration with Active Directory, Exchange, and Lync.  Complete integration with Microsoft Office (e.g. Word, Excel, PowerPoint, Outlook, OneNote, Access) and Adobe PDF  Versioning, checkout, rating, and tagging for multi-user collaboration
  •  Rule Based Submission (e.g. automatic movement of submitted documents to particular libraries)  In Place Records Management for retention and eDiscovery  Metadata validation, indexing and management  Integration with cloud-based office suitesi  Ability to integrate with document-scanning solutions and manage electronic images of paper- based information73 74  Ability to extend basic SharePoint functionality by programming custom web parts using SharePoint Designer75 or .NET.76By implementing SharePoint within the new uConnect architecture, campus units by default get a web-based system with which to share and collaborate on documents which ties in with the rest of thesystems. For example, if Active Directory/LDAP is fully populated, SharePoint knows the supervisor andother team members of a particular user, and a SharePoint workflow which automatically routes theform to the supervisor can be easily built. The Presence and Availability of other people are visible inSharePoint, so that people working on the same document can open an IM window or web/videoconference call to discuss their changes. Finally, SharePoint 2010 offers simultaneous editing of thesame file (coauthoring) and the ability to stream PowerPoint presentations over the web77, greatlyfacilitating many common needs for faculty, students, and staff.Implementation of SharePoint depends upon several items:  The Internet Connector license must be bought to allow access to SharePoint from the Internet (estimated price, $4k)  Sufficient server and storage space must be allotted78 (typically 6-10 servers for a robust SharePoint infrastructure plus storage for all the documents) o If the SharePoint environment is virtualized, a number of considerations should be addressed79  Campus subscribers to uConnect must have Enterprise CALs via MCCA Units with a large investment in their current document management system might retain it based on cost-benefit analysis. However, many other units will find the addition of an enterprise-wide document sharing and collaboration system irresistible, and future web applications based on SharePoint could be developed to provide targeted solutions to the business requirements of departments, colleges, schools and units.iiCyber-Safetyi GoogleDocs, for example, as of now cannot handle complex formatting in Word documents with preciserequirements, such as legal documents. However, Office Web Apps handles Office documents natively.ii In the absence of a central SharePoint solution, many units already in uConnect are working on their ownimplementation, which gives an indication for potential popularity. In addition, UC Berkeley has CalShare, aSharePoint implementation. See: http://ist.berkeley.edu/services/is/calshare
  • Computer security, or Cyber-Safety, incorporates a number of concepts, the most basic of which are:80  Confidentiality  Integrity  AvailabilityThe specific UC Davis Security Standards are given in Exhibit A of Chapter 310, Section 22, in the UCDavis Policy and Procedure Manual.81 This proposed design directly addresses these practices as follows: 1. Software Patch Updates A centralized Windows Server Update Services system is setup in resource.ucdavis.edu for use by all campus Windows clients. A BigFix82 or similar system is setup in the resource domain to provide patch updates for UNIX, Linux, MacOS, and virtual clients (as well as Windows). 2. Anti-virus Software A centralized Anti-virus Software service, based on the campus site-licensed anti-virus software, will be provisioned in resource.ucdavis.edu. It will be configured such that the staff of individual units will be able to administer the anti-virus software on their local IT resources. 3. Non-secure Network Services The new design employs Microsoft’s Network Access Protection (NAP) in conjunction with 802.1x to restrict access to the network to devices which can pass a health check by a Network Policy Server. Devices on a Windows domain failing the health check can be redirected to a Remediation server which will apply patches and other features to allow the computer to come into compliance. Once the health check has been passed, the system may access the network. There are two ways to enable this:  DHCP (weak) – Can be bypassed by clients assigning their own IP addresses  802.1x (strong) – Cannot be bypassed by clients In the recommended way to enable this, campus network switches are configured to support 802.1x and authentication to the network (usually via LDAP). This in turn requires that the switches fully trust the Network Policy Servers; thus NAP is best done as a centralized service. 4. Authentication Robust authentication is provided for users via: a. A strong single sign-on password b. Public/private key pair c. Hardware device with digital certificate or public key
  • Authentication is thought of as applying to users, but with the advent of a campus CA, can also be applied to computers. For example, domain controllers, file servers, and other sensitive resources can be configured to reject connections from computers that do not have a valid digital certificate.83 These (IPSec) policies must be carefully tested.5. Personal Information With the advent of a campus certificate server, all file servers in the ucdavis.edu domain can turn on Encrypting File Services. To properly provision EFS and ensure that files can be recovered in the event that the holding account is deleted: a. A specific account holding the EFS Recovery Agent role must be established. b. Enterprise Administrators in the root domain ucdavis.edu only grant temporary use of the account to Domain and OU Administrators on an as-needed basis. This provides default encryption on all files stored on all fileservers with EFS enabled. Under the requirements of SB 1386, this would exempt the University from having to notify users if personal information is disclosed from a file protected by EFS.84 The campus certificate server also allows for the encrypting of email and databases via standard interfaces.6. Firewall Services Firewalls are widely deployed across campus. The upcoming migration of units to the campus AD/UC infrastructure provides an opportunity to check: organizations are not allowed to join until they show a properly-configured VLAN firewall. Because the services are standardized and well-known, firewall rulesets should be easier to write, and best-practice rulesets can be developed.7. Physical Security The campus AD/UC infrastructure ensures that much of the “crown jewels” of the campus IT infrastructure remains in secured campus datacenters with reliable power, networking, and HVAC. The design calls for two datacenter sites, which takes advantage of the load-balancing inherent in AD and allows for disruptive services upgrades on one datacenter without affecting the campus at large.8. No Open Email Relays The combination of Exchange 2010, DNSSEC, and DKIM means that: a. Unauthenticated users are not allowed to send email
  • b. The campus email servers are well-known and cryptographically validated by the outside world, eliminating the threat that a spammer masquerading as a ucdavis.edu user will land the campus on an email blacklisti 85 For those departments still wishing to run their own email servers, provisioning DNSSEC and requiring DKIM on all mailservers will maintain the benefits described above. 9. Proxy Services Implementing NAP has the side-benefit of giving the campus a robust VPN solution. Departments save the time/expense of running their own VPN, and users can be directed towards the campus VPN. This will eliminate improperly configured proxy servers. For those departments still wishing to run their own proxy server, the provisioning in LDAP of password hashes gives them access to robust authentication. 10. Audit Logs The campus.ucdavis.edu user account domain coupled with proper setup allows for a robust auditing mechanism86 when coupled with good third-party tool which collects systems logs from all AD/UC servers for separate log analysis. Note that units with their own domains are also able to audit their own resources; for reliability these logs should be collected on the central campus log analysis server. For best results, the third-party tool should be able to read log formats from Windows, Unix, Linux, and MacOS servers. In addition: a. An AD security group dedicated to Cyber Safety auditing should be established b. The UC Davis campus Cyber Safety auditors should be granted membership to this group c. Other unit Cyber Safety auditors should be granted membership upon request d. Member domains should not implement policies or mechanisms which block the group from resource access e. Members of the Cyber Safety group should audit user data only with explicit written permission from the chair, MSO, Dean or Vice Chancellor of the unit. f. Any domain, sub-domain, or domain organizational unit targeted for a Cyber Safety audit should receive prior notification i. The Dean or Vice-Chancellor of the unit may override the notification requirement at their discretion 11. Backup and Recovery The system calls for the use of Microsoft Data Protection Manager to handle the backup of Active Directory and the Unified Communications components (Exchange, Lync, etc.) This is a disk-to-disk system which is compatible with the campus current use of NetBackup. Properly configured, this provides two levels of backup (disk-to-disk for DPM and disk-to-tape fori This has happened several times in the past years
  • NetBackup of DPM) to complement the tombstone/previous versions first level restoral capabilities in Exchange and Windows file services. DPM has significant data storage requirements; for cost-effectiveness, several DPM servers coupled with Direct Attached Storage provide the best cost/storage ratio. 12. Web Application Security LDAP authentication provides an industry-standard, known-good authentication mechanism. In addition, CA&ES has developed a robust roles database (available as a web-service) for authorization. A roles database used in this context means a system which controls access (and provides auditing) to campus applications on a per-user, per-role, per-application, per-unit basis. The campus has other Identity Management/Roles Database system initiatives for other purposes, but they do not currently address the authorization problem in web applications. Deployment of this system (or another with this functionality) enables developers to consider the authentication and authorization problem solved, and move on to the other OWASP issues.The benefits of these and the measures listed above:  Provides immediate feedback and quarantine of insecure systems from the campus network  Provides widespread encryption which can protect personal information in documents, emails, and databases  Provides fault-tolerant secure physical hosting  Eliminates open relays and campus-on-email-blacklist problem  Provides VPN solution to campus  Provides easy auditing  Provides two levels of backup on critical data  Provides secure authentication and authorization processes for web applications and databases  Saves units the time/cost of doing these services themselves  Provides known, consistent quality  Provides functionality not available to individual units  Provides costs savings in purchasing software for whole campusImplementationThe previous section discussed a number of topics. In this section, the specifics are condensed downinto an implementation order and summary of necessary steps. Items in green are not on the criticalpath, and may be done concurrently, as time permits, or once confidence has been established that amigration is complete. 1. Setup the root AD domain ucdavis.edu a. Perform initial zone transfer between dns1.ucdavis.edu to root AD domain controller DNS servers b. Configure Infoblox to update AD DNS servers
  • c. Setup DNSSEC d. Publish tools/interfaces for ucdavis.edu sub-domains to add DNSSEC e. Setup DHCP and DHCPv6 f. Retire Unix DNS servers g. Retire older DHCP servers2. Setup campus.ucdavis.edu account domain for user accounts a. Set passwords on campus.ucdavis.edu to be the same as Kerberos passwords. Requires a password reset. b. Update computingaccounts.ucdavis.edu to change passwords on AD KDCs c. Update the Whitepages application to make changes against AD LDAP d. Setup user password hash storage in LDAP e. Publish tools/interfaces for web application authentication in LDAP f. Publish tools/interfaces for public key storage in LDAP g. Setup roles database and publish web services interface for web application authorization h. Setup Shibboleth i. Configure for federated authentication with At Your Service, Google Apps, Office 365 for Education, etc. j. Retire Unix LDAP servers k. Evaluate retiring CAS3. Setup resource.ucdavis.edu resource domain for forest-wide resources a. Setup Active Directory Certificate Services i. Setup certroot.ucdavis.edu ii. Setup cert1.ucdavis.edu, cert2.ucdavis.edu, revokedcert1.ucdavis.edu, and revokedcert2.ucdavis.edu iii. Turn off and securely store certroot.ucdavis.edu iv. Publish tools/interface for IT staff to obtain SSL certificates b. Setup Exchange 2010 i. Setup DKIM and spam filtering ii. Setup eFax, Fax-over-IP iii. Migrate Cyrus users to Exchange mailboxes with no-cost storage limits iv. Migrate CA&ES and current uConnect users v. Migrate remaining units vi. Retire Cyrus and SpamAssassin servers vii. Publish tools/interfaces to email and calendar functions viii. Evaluate sympa vs. Exchange/SharePoint web applications c. Setup Lync 2010 i. Setup Mediation server ii. Setup IM 1. Setup public IM connectors iii. Setup audio/video/web conferencing
  • iv. Setup Enterprise Voice 1. Setup voicemail and voice transcription 2. Integrate Pinnacle and billing systems 3. Migrate voice users to Lync VoIP v. Retire Sonus d. Setup Systems Center: Configuration Manager i. Setup Network Access Protection87 1. Apply AD forest schema extensions for NAP 2. Setup Network Policy Servers 3. Setup System Health Validators 4. Setup Reporting Point ii. Publicize to clients how to use VPN access through the Network Policy Servers iii. Retire SSL VPN e. Setup Systems Center: Data Protection Manager f. Setup Antivirus servers g. Setup WSUS h. Setup BigFix i. Setup Auditing Server j. Setup Subsystem for UNIX-based Applications k. Setup Apple Remote Desktop l. Setup Systems Center: Operations Manager m. Setup Systems Center: Virtual Machine Manager n. Setup Systems Center: Service ManagerStaffingThis design dramatically increases the complexity and scope of services offered compared to the currentuConnect services. Additional staffing and infrastructure resources must be allotted for success.The envisioned system cuts across a number of organizational boundaries and some re-organization as aresult of new duties and retirement of older systems may result. Even so, enough resources may not beallotted, simply because of the enormous breadth of technical knowledge required to successfullyimplement the design.The ARM/CA&ES/IET collaboration provides a roadmap for the way forward. Every stakeholder has avested interest in the success of this enterprise. Units that are willing and able to provide technicaltalent should have their staff put to good use. In order to effectively synchronize everyone towardstangible progress, they can be grouped as follows:  Core team and collaboratorsThis group consists of the core staff as provided to the project by ARM, CA&ES, IET and others,responsible for setting up, administering, running, and maintaining the forest-wide resources. As can beseen above, there are a large number of additional projects that should be done by units willing/able to
  • contribute technical staff. Examples of these types of projects are developing the varioustools/interfaces and applications that will provide services to clients.  Focus groupsThese groups consist of technical IT staff evaluating the progress the system is making on the designprinciples. Anyone interested in a focus group should be allowed to join, but the focus group chairs mustensure that the feedback collected is presented in a useful form to the core team and collaborators: 1. Full-featured services – This group tests the usability of the various aspects of the system for technical and non-technical users. 2. Flexibility – This group consists of interested outside parties that are planning to build exciting new applications and are willing to test using the campus AD/UC infrastructure as their foundation. 3. Interoperability – This group consists of MacOS and Linux sysadmins that provide feedback and test cases to ensure their platforms are fully supported on the AD/UC infrastructure. 4. Stability/Security – This group ensures that the security best practices envisioned in the design are maintained. 5. Cost-effectiveness – Added for completeness, this “focus group” is the core team and collaborators who ensure the implementation of AD/UC services is as efficient as possible. This implicitly includes the buyers who ensure prices for hardware and software take full advantage of UC discounts.  Unit IT contacts consuming AD/UC servicesThis group consists of the technical staff that provides local IT support. A large percentage of IT work willcontinue to reside in the units.GovernanceTo be successful, the project must not only have a talented and well-coordinated group to execute thesetup, administration, and migration to the new system, but there must also be an open processtowards setting the future direction of the project. The author and collaborators have ideas on a newgovernance structure (to be presented later) establishing project staffing as a center of excellence, andare open to further concepts.CompletenessThis design offers a wide variety of features, but it is not necessary that all clients take advantage of allof them. Clients may mix/match services as desired:  Email: Clients can connect to their Exchange mailboxes via Outlook Anywhere (Windows88, MacOS 89), IMAP/S, mobile devices, tablets, and web browsers without joining their devices to a Windows domain. Clients wishing to run their own mailservers may still do so, as long as they implement DKIM.
  •  Lync: Web-based clients are available for Lync services without installing software or joining a domain90 91. VoIP phones are independent network devices separate from client computers; using VoIP-enabled phones with Exchange integration requires that a user account be provisioned for these services; software client choice is flexible. Analog phones are still supported.  DNS: The Microsoft DNS servers can be configured to support wildcards for empty resource record sets92 to provide support for BIND’s DNS wildcards. Clients requesting sub-domains may also run their own DNS servers. DNSSEC is still provisioned throughout.  DHCP: Units may run their own DHCP servers on their networks, or hand-configure computers if desired.  Kerberos/LDAP: These are standard network services with standard interfaces. Microsoft is a member of the Kerberos foundation93 and has made Active Directory compliant94 with the latest IETF specification of LDAP.95  Web authentication/authorization: As specified, web developers can choose LDAP or Shibboleth for authentication. They can consume an authorization service or write their own.  Windows Domains: Windows domains provide administrative efficiencies, particularly for Windows clients, but MacOS or Linux clients do not need to join a Windows domain to benefit from services listed above.  Network Access Protection: NAP is intended to provide an extra level of security to clients joining domains in the forest, so that they do not jeopardize the common resources in Active Directory. Clients not on a domain need not have NAP configured.SupportFor best results, tools to simplify the burdens of local IT support must be added to the system. Theinclusion of the Systems Center tools provides the potential for:  Automated Server monitoring (Systems Center: Operations Manager)  Client hardware/software management (Systems Center: Configuration Manager)  Hyper-V virtual machine provisioning (Systems Center: Virtual Machine Manager)  Help Desk ticketing (Systems Center: Service Manager)Help Desk ticketing would greatly benefit subscribers to the system if they were able to pass ticketsbetween clients, local IT staff, and potentially, AD/UC systems staff and/or Networking OperationsCenter staff.Previous tools have been difficult to use; a project for a unified help desk should be started and chairedby the majority users of the system, i.e. local IT support.DiscussionThe project provides the following advantages to the campus:
  •  Robust, full-featured Unified Communications o A full-featured email and calendaring solution for Cyrus users o Accessibility via web browser, client software, VPN, remote desktop, or mobile devices o Opportunity to reduce telecommunications costs by leveraging VoIP o A manageable, scalable solution  Provides common, central services with secure access mechanisms o DaFISConnect (DaFIS on Windows Remote Desktop)i o WSUS and BigFix for software patching o Server log auditing o Server status updates via Operations Manager  A common directory which can be directly leveraged into workflow and other applications  A safe and secure computing platform incorporating Cyber-Safety best practices  Enterprise wide single sign-on, with provision for federated authentication o Benefits campus applications such as Kuali, Timesheets, Recruitments, and others o Built-in workflow for SharePoint and other workflow applications o Locally editable, up-to-date Organizational chart  Widespread use of digital certificates using either Web-of-Trust (public keys in LDAP) or Public Key Infrastructure (PKI) using Active Directory Certificate Services  A fault-tolerant design resilient to failures and cracking attempts  A platform on which to build future web and cloud applicationsThe project also saves the costs of running these older systems:  Staff/infrastructure for running Cyrus  Staff/infrastructure for running SpamAssassin  Staff/infrastructure for running DNS  Staff/infrastructure for running DHCP  Staff/infrastructure for running LDAP  Staff/infrastructure for running Kerberos  Staff/infrastructure for running CAS  Staff/infrastructure for running SSL VPNAt some future time, the project may save the costs of these systems:  Sonus  SympaA complex project raises many questions; some will be addressed below.96  We’ve been successful, so why change?i Currently provisioned on uConnect
  • True. But surely we have all seen that failure to adapt eventually leads to extinction. With respect toActive Directory, the previous incarnation was created before many of the features in the new designwere developed. To quote from Active Directory Design Principles:97 “The one thing to keep in mind is that when designing your Active Directory, never go at it from a, present needs, point of view. Technology and systems are changing so fast nowadays that you have to design with the most open and future-proof concept that you can think of.”  No one else does this.There really is a first time for everything, and we do have a unique opportunity. Everyone is ready forchange; we can take what we’ve learned and move forward. The current system is a hodge-podge ofsometimes incompatible systems that don’t offer the full range of functionality. This new design is a full-featured integrated whole with flexibility to add additional services and applications via industrystandard protocols.  To generate this many questions and concerns, the idea has to be flawed.Actually, many questions are good, as it shows engagement, and an engaged group makes betterdecisions and implementations. The current partnership between ARM, CA&ES, and IET shows a strongcommitment of talent and resources to solving these issues, and we suggest the collaboration beopened further. Everyone has a stake in the outcome.  Good idea, but this is not the time.This is the perfect time, because there are many people excited and working to make this happen rightnow. The state our university is in requires that we make changes and increases our efficiencyimmediately, and this is a significant step towards getting everyone a set of consistent tools to do theirwork.Everyone has a stake in this enterprise. While it is difficult to “design by committee” – it is crucial thatActive Directory / Unified Communications move in the technical directions that serve the needs of thecampus stakeholders. The knowledge of the needed technical directions resides in and therefore shouldbe directly represented by the stakeholders themselves. Agile processes have already been proven towork in a number of arenas98 99; it is worth repeating the “Agile Manifesto”100 here: Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan
  • AcknowledgementsI wish to thank Tom Pomroy, Uwe Rossbach, and Shuka Smith for many hours of conversation indeveloping the topics in this whitepaper. The ideas presented here are a direct result of thesediscussions. I also wish to acknowledge the following reviewers, who contributed their input andperspectives to this paper:Bob Brewer, Information Systems Manager, Environmental Science & PolicyJamie Butler, Directory of Information Technology, School of LawJennifer Hughes, Information Systems Manager, Crocker Nuclear LaboratoryRob Kerner, Plant Sciences IT ManagerJeremy Philips, Director of Information Technology, Division of Social SciencesEric Prosser, Project Manager, Office of ResearchBen Ransom, System Administrator, College of EngineeringMegan Richmond, Lead Application Developer, Letters and Science Deans’ OfficePaul Waterstraat, Information Systems Manager, GeologyRevision HistoryInitial version: 10/13/2010Submitted Version: 1/25/2011Final Version: 12/29/2011GlossaryThe following is a selection of terms and definitions used in this discussion. Many unavoidably referenceother terms, which may or may not have abbreviations. For brevity, acronyms are defined with theirterm.Active Directory (AD): A Microsoft implementation of a variety of network services including101,  LDAP  Kerberos-based authentication  DNS  Central location for network administration and delegation of authority  Information security and single sign-on for user access to network based resources  The ability to scale up or down easily  Central storage location for application data  Synchronization of directory updates amongst several servers
  • Audio/Video/Web Conferencing: One-to-one, one-to-many, and many-to-many communication usingaudio (voice) and visual communications integrated with webcams and browsers.Certificate Authority (CA): A service issuing digital certificates.102Digital Certificate: In cryptography, a digital certificate (also known as an identity certificate or publickey certificate) is an electronic document that uses a digital signature (a mathematical scheme whichdemonstrates the authenticity of a document103) that binds together a Public Key with an identity(information such as the name of a person/organization, address, etc.).104Domain: In AD, a domain is a common flat database directory. Domains in AD are identified by their DNSname structure, or namespace. Domains can contain other domains and Organizational Units.DomainKeys Identified Mail (DKIM): DKIM is a method of associating a DNS domain name to an email,allowing a recipient to validate that a message was sent by the organization with that particular DNSdomain name. Validation uses public-key cryptography; the signer adds a domain name to the messageand then affixes a digital signature. The verifier recovers the signer’s public key using DNS, and verifiesthe signature.105Domain Name System (DNS): The essential phone book for the Internet,106 translating human-friendlyhostnames to the actual IP addresses used by networking devices (routers, gateways, computers, etc.).Domain Name System Security Extensions (DNSSEC): The original design of DNS did not include security,as it was designed to be a scalable, distributed system. DNSSEC is designed to protect clients fromforged DNS data (e.g. which can be used to redirect to forged sites) while maintaining backwardscompatibility.107 DNSSEC is also queried by DKIM to provide verifiers with the public key of the signer.108DNS Zone Transfer: A mechanism for replicating the databases containing DNS records across a set ofDNS servers.109 Nearly universal at one time, it is becoming less popular in favor of other databasereplication mechanisms that modern DNS server packages provide, such as Active Directory-IntegratedDNS.110Dynamic DNS (DDNS): A method/protocol/network service that provides the capability for a networkeddevice, such as a router or computer to notify a DNS server in real-time to make active DNSconfiguration changes, such as the hostname, the IP address, or new SRV records.111Dynamic Host Configuration Protocol (DHCP): DHCP is used on IP networks to configure computers withIP addresses and other information, such as the IP address of the local DNS server. It also provides acentral database for keeping track of computers connected to the network, and prevents two computersfrom being configured with the same IP address.112Enterprise Voice: In Exchange, Voice-over-IP telephony (including voicemail) integrated with Exchangeemail and calendars.
  • Extensible Messaging and Presence Protocol (XMPP): A network protocol used to handle IM andPresence.113Flat: In databases, flat is the opposite of relational. Every entry in the database contains all of itsinformation, and does not reference other entries.114Forest: In AD, a tree of trees sharing a common catalog, directory, and DNS structure. If ucdavis.eduis the forest, caes.ucdavis.edu and engineering.ucdavis.edu are trees in that forest.Group Policy Objects (GPO): In AD, a set of rules which control the working environment of users andcomputers. GPOs are used to provide a consistent set of services and environment and can be assignedto domains, OUs, and sites. As an example, GPOs can be used to install software and ensure that it is theversion defined in the GPO.Hostname: The human-readable Internet address of a computer. An example is: www.ucdavis.edu.Internet Protocol (IP): The primary communications protocol used for the Internet.115IP Address: The numeric network address for a device on the internet. There are two versions, IPv4 andIPv6. IPv6 was instituted to address the limited number of remaining IPv4 addresses116, and is the futureof the Internet.117  IPv4 addresses look like:  IPv6 addresses look like: 2001:db8:1f70::999:de8:7648:6e8Instant Messaging (IM): Real-time direct text-based communications between two or more people, alsoknown as online chat between known users (i.e. online chat can also be between anonymous users).118Email, in contrast, is asynchronous text-based communication between two or more people.Lightweight Directory Access Protocol (LDAP): The industry standard directory protocol, widelyaccessible to management and query applications.119Lync: Formerly known as Office Communications Server, Lync provides a unified instance for IM,Presence, Audio/Video/Web Conferencing, and Enterprise Voice.Kerberos: A computer network authentication protocol allowing nodes communicating over a non-secure network to prove their identity in a secure manner.120Mediation Server: In Lync, the Mediation server connects traffic from a basic media gateway (such asPSTN) using SIP to Lync clients. 121 122 123 124Network Access Protection (NAP): A Microsoft platform that controls access to network resources basedon a client computer’s identity (verified with a digital certificate) and compliance with policy.125 Software
  • to support policy enforcement must be installed on the client computer; it is currently integrated inWindows XP SP3126 and lateri; separate clients are available for MacOS and Linux.127Organizational Unit (OU): In AD, an organizational unit is a container used to simplify management.Often, administrative access is delegated at the OU level. All OUs in a domain share the same (flat)database. As a result, it is not possible to create two identically-named accounts in different OUs in adomain because the database requires that attribute be unique.Presence: In Lync, a combination of availability and willingness. Availability consults the user’s calendarto see if they are able to be contacted. Willingness is the user’s self-defined criteria on how receptivethey are to being contacted.Protocol: In networking, a formal description of digital message formats and the rules for exchangingthose messages.128Public Key Cryptography: A cryptographic approach using asymmetric key algorithms. A famous exampleis the use of prime numbers.129 It is very easy to verify that a particular number is the product of primes.It is computationally expensive to factor a large number into its component primes. Public Keycryptography uses mathematically related key pairs: a public key, which can be published, and a privatekey, which is kept secret. A message encrypted by the private key can be easily decrypted by the publickey. On the other hand, it is very difficult to determine the private key using the public key.130Public Switched Telephone Network (PSTN): Also known as plain old telephone service (POTS), it is thepublic telephone network used by landlines and mobile phones.131Secure Sockets Layer (SSL): A cryptographic protocol that provides for secure communications over opennetworks, such as the internet. Commonly used by web browsers to connect to trusted webservers,which provide an SSL certificate signed by a trusted CA. The follow-on to SSL is Transport Layer Security(TLS).132Service (SRV) Record: Data stored in DNS defining the hostname and port number of services for specificservices.133 Some examples of services which use SRV records:  Client SMTP authorization  Kerberos  LDAP  SIP  XMPPSession Initiation Protocol (SIP): A network protocol used to handle multimedia communications such asvoice and/or video calls over IP.134i Thanks to Curt Finley for pointing this out.
  • Site: In AD, a container of network addresses most often used to manage network traffic and replicationby assigning a cost value and replication schedule to address speed, reliability, availability, and otherphysical properties.Tree: In AD, single or multiple domains in a contiguous (DNS) namespace. For example,caesdo.caes.ucdavis.edu and caes.ucdavis.edu are in the same tree;caes.ucdavis.edu and engineering.ucdavis.edu are not.Unified Communications (UC): The integration of real-time communications such as Instant Messaging,Presence, Enterprise Voice, Audio/Video/Web Conferencing with non-real-time communications such asemail, voicemail, SMS (texting), and fax.135uConnect: The current Active Directory / Exchange service available for recharge to campusdepartments.136References1 http://oe.ucdavis.edu/2 http://gunrockstatus.ucdavis.edu/docs/Project%20Gunrock%20Cost%20Comparison.pdf/view3 http://iet.ucdavis.edu/microsoft/campus_agreement.cfm4 Private conversation with Shuka Smith, a programmer in CA&ES Dean’s Office working with uConnect on theOffice Communications Server 2007 R2 implementation5 Private communication with Mark Redican, Director of Communications Resources6 http://code.google.com/googleapps/faq.html7 http://office365.microsoft.com/en-US/education.aspx8 http://www.microsoft.com/Presspass/press/2010/dec10/12-08USDACloudPR.mspx9 http://www.your.org/dnscache/djbdns.pdf10 http://technet.microsoft.com/en-us/library/bb727085.aspx11 http://technet.microsoft.com/en-us/library/bb124251.aspx12 http://social.technet.microsoft.com/wiki/contents/articles/renaming-a-windows-2008-active-directory-domain.aspx13 http://www.infoblox.com/en/resources/white-papers/dns-dhcp-microsoft-active-directory.html14 http://technet.microsoft.com/en-us/library/ee649173(WS.10).aspx15 http://technet.microsoft.com/en-us/magazine/2007.03.cableguy.aspx16 http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/Kerberos-Realms.html17 http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/Mapping-Hostnames-onto-Kerberos-Realms.html18 Jason Garman, Kerberos: The Definitive Guide, (Sebastopol: O’Reilly Media Inc., 2003), 175-19519 http://en.wikipedia.org/wiki/Windows_Services_for_UNIX20 http://en.wikipedia.org/wiki/Chain_of_trust21 https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR65722 http://technet.microsoft.com/en-us/library/dd361898.aspx23 http://www.codeguru.com/csharp/csharp/cs_misc/security/article.php/c1649124 http://en.wikipedia.org/wiki/Code_signing25 http://technet.microsoft.com/en-us/library/cc750824.aspx26 http://technet.microsoft.com/en-us/library/cc785254(WS.10).aspx27 http://stackoverflow.com/questions/2099181/is-active-directory-really-ldap-compliant28 http://www.zytrax.com/books/ldap/ch3/29 http://netmesh.info/jernst/digital_identity/microsoft-turning-the-ldap-directory-into-a-graph-database
  • 30 http://www.faqs.org/rfcs/rfc3062.html31 http://status.ucdavis.edu/index.php?f_path=top&o_path=past32 http://support.microsoft.com/kb/32634033 http://support.microsoft.com/kb/31674834 http://www.javaactivedirectory.com/?page_id=7235 http://jaaslounge.sourceforge.net/36 http://coldfusion.sys-con.com/node/15422537 http://adldap.sourceforge.net/38 http://www.oneunified.net/blog/OpenSource/perl_activedirectory.article39 http://stackoverflow.com/questions/140439/authenticating-against-active-directory-using-python-ldap40 http://smartsite.org/smartsite.html?ch=DEF&id=400341 http://plone.org/documentation/kb/single-sign-on-with-active-directory42 http://drupal.org/project/webserver_auth43 http://www.hannonhill.com/kb/Authentication/44 http://confluence.atlassian.com/display/DEV/Mapping+Active+Directory+to+Confluence45 http://download.oracle.com/docs/cd/E12096_01/books/admintool/admintool_Security7.html46 http://download.oracle.com/javase/tutorial/jndi/ldap/authentication.html47 http://www.ece.rutgers.edu/~parashar/Classes/03-04/ece572/project-reps/p-bisbal.pdf48 http://en.wikipedia.org/wiki/Public-key_cryptography49 http://www.faqs.org/rfcs/rfc3112.html50 http://www.jasig.org/cas_server_3_4_351 http://atyourservice.ucop.edu/52 http://en.wikipedia.org/wiki/Shibboleth_(Internet2)53 http://shibboleth.internet2.edu/shib-v2.0.html54 http://www.campuseai.org/integrations1;jsessionid=5938AEABCF3C258827FFD979F233C4A255 http://sysadmin-talk.org/2010/05/large-is-not-always-best-when-it-comes-to-performance-but-it-helps-mailbox-performance-in-exchange-and-outlook-2010/56 http://msexchangeteam.com/archive/2010/02/22/454051.aspx57 http://wikibon.org/wiki/v/MS_Exchange_2010:_Mega_Mailboxes,_Personal_Archives,_Goodbye_PSTs58 http://support.microsoft.com/kb/83292559 http://www.howexchangeworks.com/2009/08/archive-mailbox-in-exchange-2010.html60 Communication from Dave Wallen, Manager of Microsoft Online Services Group from Computer GeneratedSolutions61 http://news.cnet.com/8301-13860_3-20020029-56.html62 http://www.microsoft.com/liveatedu/learn-about-office-365.aspx63 http://msexchangeteam.com/archive/2010/08/23/455899.aspx64 http://www.apple.com/macosx/what-is-macosx/mail-ical-address-book.html65 http://www.sympa.org/overview/features66 http://msdn.microsoft.com/en-us/library/bb204119(EXCHG.140).aspx67 http://www.itwire.com/sponsored-announcements/25395--axway-extends-mailgate-with-virtualised-offering68 http://www.sonusnet.com/69 http://www.infoworld.com/d/windows/microsoft-lync-2010-finally-communications-server-worth-the-effort-51570 Microsoft Office Communications Server 2007 Edge Server Deployment Guide,http://www.microsoft.com/downloads/en/details.aspx?FamilyId=ED45B74E-00C4-40D2-ABEE-216CE50F5AD2&displaylang=en71 http://www.microsoft.com/en-us/lync/default.aspx72 http://blogs.msdn.com/b/mcsnoiwb/archive/2009/11/05/document-management-in-sharepoint-2010.aspx73 http://www.knowledgelake.com/solutions/technology-solutions/Pages/document-imaging-management-sharepoint.aspx as one example solution, others exist from Xerox74 http://www.avop.com/blog/joanne_gaudet/xerox_mfps_now_support_microsoft_sharepoint_server_2010
  • 75 http://msdn.microsoft.com/en-us/library/ff630941.aspx76 http://channel9.msdn.com/Blogs/funkyonex/Best-Practices-on-Building-SharePoint-2010-Web-Parts-with-Visual-Studio-201077 http://www.directionsonmicrosoft.com/samples/49-samples/940-document-sharing-with-office-2010-and-sharepoint-2010.html78 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=FD1EAC86-AD47-4865-9378-80040D08AC55&displayLang=en#filelist79 http://www.ditii.com/2010/06/03/sharepoint-2010-virtualisation-planning-and-technet-webcast-deep-dive-microsoft-virtualization-best-practices-for-sharepoint-2010-level-300/80 Matt Bishop, Computer Security: Art and Science (Boston: Addison-Wesley, 2003), 3-25.81 http://manuals.ucdavis.edu/ppm/310/310-22a.pdf82 http://www.bigfix.com/content/breakthrough-technology-revolutionary-economics83 http://technet.microsoft.com/en-us/library/bb742429.aspx84 http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html85 http://www.mxtoolbox.com/blacklists.aspx86 http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html87 http://technet.microsoft.com/en-us/library/bb681008.aspx88 http://technet.microsoft.com/en-us/library/bb123741.aspx89 http://www.officeformachelp.com/outlook/exchange/faqs/#outlookAnywhere90 http://communicatorteam.com/archive/2010/10/19/1763.aspx91 http://blogs.catapultsystems.com/tharrington/archive/2010/11/08/lync-conferencing-client-comparisons.aspx92 http://en.wikipedia.org/wiki/Wildcard_DNS_record93 http://www.kerberos.org/sponsors/index.html94 , Microsoft Corporation, Active Directory LDAP Compliance (October 2003), 3-1395 http://tools.ietf.org/html/rfc451096 http://www.ciozone.com/index.php?option=com_myblog&show=How-To-Protect-Good-Ideas-From-Getting-Shot-Down.html&Itemid=71397 http://www.packtpub.com/article/active-directory-design-principles-part-198 http://en.wikipedia.org/wiki/Agile_software_development99 http://agile-architecting.com/Archive/Agile%20Systems%20Engineering.pdf100 http://agilemanifesto.org/101 http://en.wikipedia.org/wiki/Active_Directory102 http://en.wikipedia.org/wiki/Certificate_authority103 http://en.wikipedia.org/wiki/Digital_signature104 http://en.wikipedia.org/wiki/Digital_certificate105 http://en.wikipedia.org/wiki/Dkim106 http://en.wikipedia.org/wiki/Domain_Name_System107 http://en.wikipedia.org/wiki/DNSSEC108 http://tools.ietf.org/html/rfc5585#section-4.4109 http://en.wikipedia.org/wiki/DNS_zone_transfer110 http://technet.microsoft.com/en-us/library/cc978010.aspx111 http://en.wikipedia.org/wiki/Ddns112 http://en.wikipedia.org/wiki/Dhcp113 http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol114 http://en.wikipedia.org/wiki/Flat_file_database115 http://en.wikipedia.org/wiki/Internet_Protocol116 http://en.wikipedia.org/wiki/IPv4_address_exhaustion117 http://en.wikipedia.org/wiki/IPv6118 http://en.wikipedia.org/wiki/Instant_messaging119 http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol120 http://en.wikipedia.org/wiki/Kerberos_(protocol)
  • 121 http://blogs.technet.com/b/drrez/archive/2009/12/01/direct-sip-configuring-mediation-server.aspx122 http://technet.microsoft.com/en-us/library/ff793475.aspx123 http://www.ocspedia.com/fe/Microsoft_Lync_Topology_Changes.aspx?ArticleID=105124 http://gunrockstatus.ucdavis.edu/blog/gunrock-ocs-hardware-infrastructure-planning125 http://technet.microsoft.com/en-us/network/bb545879.aspx126 http://technet.microsoft.com/en-us/library/bb632788.aspx127 http://en.wikipedia.org/wiki/Network_Access_Protection128 http://en.wikipedia.org/wiki/Communications_protocol129 http://en.wikipedia.org/wiki/Integer_factorization130 http://en.wikipedia.org/wiki/Public-key_cryptography131 http://en.wikipedia.org/wiki/Public_switched_telephone_network132 http://en.wikipedia.org/wiki/Secure_Sockets_Layer133 http://en.wikipedia.org/wiki/SRV_record134 http://en.wikipedia.org/wiki/Session_Initiation_Protocol135 http://en.wikipedia.org/wiki/Unified_communications136 http://xeda.ucdavis.edu/